Topic: Ethernet on/off switch (Read 3376 times)

Hi all, I'd like to preface this question with a mention to someone who had posted the same idea on this forum. His idea was pretty much effed by people who didn't understand what he wanted, and by ignorance or the old 'I know better' thoughts pretty much broke the subject. So, I'll try to explain in a better way exactly what I want to achieve. What I'm trying to create is an ethernet controlled on/off switch. This would involve an ethernet module to take an on/off command and turn the other side of the ethernet connection on or off. I assume there are multiple 1-in/multi out relay ICs (or mosfets) to handle the switching but haven't found anything yet, so I'm hoping for some thoughts from you guys.

I'm not sure if I got your goal. What I understand is: A box, sitting in the middle of an ethernet cable, that is able to receive an on/off command from one side of the cable, and then opens or closes the cable through connection?

One managed switch chip, a couple of PHYs, and a PIC32 or such (Just for the ethernet stack and built in mac address), the rest is just a small matter of typing and pushing some copper around on a PCB.

However, surely easier to just run something on the endpoint that takes the interface down when you want ethernet off, and brings it back up when you want it on? ifdown eth0 and ethup eth0 are not exactly difficult things to paraphrase even in Winders.

If I wanted this thing for some reason I would probably just be straight on ebay for a managed switch and just control one of the ports over SNMP, 20 quid or so and maybe 15 minutes to write the control program.

This sounds like an XY problem. What is the problem you are trying to solve with this? Is there something you're not mentioning, like protection from HV or strong fields? What's wrong with disconnecting in software or turning the port off?

That's exactly what I'm after. The purpose is to ensure that a server or backup device is safely taken offline. An expansion on this would be another device on the network to send on/off packets to more than 1 of these devices. Thanks.

I'm not sure if I got your goal. What I understand is: A box, sitting in the middle of an ethernet cable, that is able to receive an on/off command from one side of the cable, and then opens or closes the cable through connection?

The purpose is to automate isolation of a server or backup device. The reason is that I've recently seen ransomware attacks on companies where things may have gone better if they had taken a server offline after a backup and/or the backup NAS device which has domain shares active.

This sounds like an XY problem. What is the problem you are trying to solve with this? Is there something you're not mentioning, like protection from HV or strong fields? What's wrong with disconnecting in software or turning the port off?

You're not going to mitigate a ransomware attack by isolating an ethernet connection if the host is already infected.

The best way to protect your backups is to run a *proper* backup routine and you need to do some research into how long ransomware will be quietly running and encrypting your data before announcing itself to you.

Plan your backup routine around that.

However, if you want to pursue this avenue then plug your servers into a switch (or multiple switches if you want redundancy), have each switch you want to isolate powered from a managed PDU, switch off the whole PDU.

Someone else has already mentioned a solution which would be my preference, a decent quality managed switch will allow you to switch off individual ports and it can be done via script from the host you want to isolate as a scheduled task so it only happens when your backup is finished or about to start.

What I'm trying to create is an ethernet controlled on/off switch. This would involve an ethernet module to take an on/off command and turn the other side of the ethernet connection on or off.

Some background:

So, I have a chunk of automated test gear. Part of this automated test is to test connectivity to an ethernet port. However, before I hook the unit under test to ethernet, I want to do some electrical testing to make sure all the connections are electrically ok. So, I switch the ethernet to the rest of the test gear.

What I am about to describe is how I do this. BEFORE I DO, SOME DISCLAIMERS: This does NOT preserve the balanced signal on the ethernet correctly. This SHOULDN'T BE TRUSTED to always work. In particular ethernet can be more fussy and also less fussy than you'd expect. So this method can add severe flakiness to your ethernet connection.

With that in mind, it works well enough for me to do 100Mb/s traffic tests through the device.

They also make an 8 relay version, which might be better suited for your needs (I needed a few other things switched, which is why I used the 16 instead of an .

For each of the 8 wires in the CAT5 cable, each gets switched by a single relay. In my case, it switches between the test equipment and an ethernet port. I wrote a chunk of software for the arduino that switches the relays. Like I said, it works well enough, but again we're only talking a few feet of ethernet cable here, so the signal has a lot of room for the problems introduced by running these through relays. Actually now I think about this I might have only switched the 4 which are used in the 10/100 ethernet standard, but the premise is the same.

We've just done this recently on a site up North. Run the network through a cheap 5 port gigE dumb switch and just drop power to the switch with a relay. The other option was literally a pigtail with a plug on the end, and a panel mounted socket where the security officer could pull the plug out. We figured the switch and relay would tolerate more long term abuse than letting someone just yank a plug.

I'm currently working on a site where they have a bit of vero board and 4 dpdt relays on it breaking 2 pin network connections. 4 PCB mount 8P8C RJ connectors, 4 dpdt 5V relays, lots of green wire and some superglue. It has apparently been in place since 2008 and I'm reliably informed has never caused an issue. Can't say I love the solution, but I can't argue with the results.

If a true physical disconnect is required, a miniature DIL DPST reed relay per pair would minimise the impedance discontinuity. Add a grounded foil shield over the reed relay and a ground plane under it and it should be reasonably trouble free for 100BASE-TX Ethernet, as long as the total cable length is small compared to the specified 100m max cable length. As 10BASE-T and 100BASE-TX only use two pairs in the cable you only need two DPST reed relays - the other pairs can be left open circuit.

For gigabit ethernet you are probably S.O.L. but it *MAY* be workable if you switch all four pairs within a few inches of the switch or device socket and minimise the total cable length.

You can get DPDT reed relays - at a price - which would allow switching between live ethernet and a test jig like Forrestc was doing. However if your testing involves POE, you may run into problems with contact welding due to inrush current + contact bounce, and DPDT mercury wetted reed relays that can handle the current, are rare, expensive and not ROHS compliant.

That's exactly what I'm after. The purpose is to ensure that a server or backup device is safely taken offline. An expansion on this would be another device on the network to send on/off packets to more than 1 of these devices. Thanks.

I'm not sure if I got your goal. What I understand is: A box, sitting in the middle of an ethernet cable, that is able to receive an on/off command from one side of the cable, and then opens or closes the cable through connection?

OK, then I'd suggest to use a simple and cheap 5port Ethernet switch, a bunch of suitable small signal relays and some ethernet-enabled MCU evaluation module. Connect the incoming ethernet to one port, the module to the next port and for the outgoing port, put the relays in series with the cable. You're near the termination, so some mismatching caused by the relays won't hurt too much. Use a GPIO from the module to control the relays, place some firmware (including a TCP/IP stack) on the module, assign a valid IP address to the module and receive the on/off command. So you've left two ports, you could use them to isolate two more devices the same way. Connect another MCU module somewhere else to the network, assign IP etc, and e.g. use its GPIO inputs to trigger sending the commands.

Which MCU module to use is up to your favour and skills, I'd use one of these STM32 nucleo 144 boards (including ethernet), they are cheap (~ 20 EUR), and you can find working implementations of some RTOS with LWIP, providing you with all the network related stuff.

For the relays, a decent small signal relay like the ones used in oscilloscopes to switch the attenuator will do the job. Most of them are DPDT, so you'll need four of them per port.

For a more advanced / elegant solution, search for a recent ethernet switch IC (the ones that are inside your typical 5 or 8 port domestic use gigabit ethernet switches), most of them have some kind of configuration interface. Hook your MCU module to one port of this switch for the ethernet connection, connect the configuration interface to the MCU module and use this to enable / disable the target ports of the switch. Maybe you can re-use one of these off-the-shelf 8port switches, some of them have an internal small MCU for the basic initialisation of the switch IC. Remove this IC and connect your MCU module instead, the rest is reading datasheets and a bit of reverse engineering. So you basically roll your own managed switch, using a protocol of your choice.

Anyway, I'd just go and buy a suitable managed switch and use the standard protocols / manufacturer provided software.
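
The managed-switch approach suggested several times in this thread (controlling one port over SNMP, run as a scheduled task around the backup window), as an added example that is not code from any poster. It assumes the net-snmp tools and a switch that exposes IF-MIB over SNMPv3; the switch address, the user name `portctl` and the ifIndex are constructed placeholders, and the SNMPv3 passphrases are expected in `~/.snmp/snmp.conf` (`defAuthPassphrase` / `defPrivPassphrase`) so they do not appear on the command line.

```shell
#!/bin/sh
# Added example: administratively enable/disable one switch port via SNMPv3.
# Assumptions (not from the thread): net-snmp installed, placeholder address/user.

SWITCH="${SWITCH:-192.0.2.10}"       # constructed address (documentation range)
SNMP_USER="${SNMP_USER:-portctl}"    # hypothetical user, write access to ifAdminStatus only
OID_IFADMINSTATUS=1.3.6.1.2.1.2.2.1.7   # IF-MIB::ifAdminStatus (numeric, no MIB files needed)

# Map a human-readable state to the IF-MIB value: 1 = up, 2 = down.
admin_value() {
    case "$1" in
        on|up)    echo 1 ;;
        off|down) echo 2 ;;
        *)        return 1 ;;
    esac
}

# set_port <ifIndex> on|off
# Sets the port state, then reads it back so a silently rejected change
# (wrong view, read-only user) is reported as a failure instead of assumed.
set_port() {
    # Accept digits only, so nothing else can end up in the OID argument.
    case "$1" in ''|*[!0-9]*) echo "ifIndex must be numeric" >&2; return 2 ;; esac
    want=$(admin_value "$2") || { echo "state must be on|off" >&2; return 2; }
    oid="$OID_IFADMINSTATUS.$1"

    if [ -n "${DRY_RUN:-}" ]; then
        # Show what would be sent without touching the network.
        echo "snmpset -v3 -l authPriv -u $SNMP_USER $SWITCH $oid i $want"
        return 0
    fi

    snmpset -v3 -l authPriv -u "$SNMP_USER" "$SWITCH" "$oid" i "$want" >/dev/null || return 1
    # -Oqve: value only, enumerations printed as numbers.
    got=$(snmpget -v3 -l authPriv -u "$SNMP_USER" -Oqve "$SWITCH" "$oid") || return 1
    [ "$got" = "$want" ]
}

# Run as: portctl.sh <ifIndex> on|off   (e.g. from the backup job's pre/post hooks)
if [ "$#" -eq 2 ]; then
    set_port "$1" "$2"
fi
```

Setting `DRY_RUN=1` prints the `snmpset` command instead of sending it, which is useful for checking the ifIndex mapping before wiring the script into a scheduled task.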